Software-defined Protection - page 57

ENTERPRISE SECURITY BLUEPRINT
Appendix A: Segmentation
The segmentation architecture is constructed as follows:
Step 1
Each atomic segment contains server hosts and network elements that share a simple
security profile that is defined in relation to business objectives (system ownership, business
owners, management responsibilities), assets (information ownership, volume of information,
service level), access (users, applications, operational profile) and assurances (physical, host,
network). For example, a messaging application and an ERP application would be separated as
they most likely have different security profiles.
Step 2
Hierarchical grouping is used to segment areas of the data center that have distinctly
different security profiles. For example, some applications may be authorized for access by a
restricted set of users, others may be used by any user in the organization, still others may be
intended for customer use only. Place applications that are purposed for specific business units in
dedicated segments separated from those used enterprise-wide.
While each segment is responsible for its own self-protection, security controls often rely on
shared services such as authentication and privilege management, time servers, SIEM systems,
network management, etc. These infrastructure services should be located within dedicated
segments so that their interactions with other segments are controlled.
The hierarchical grouping process is iterated until all data center assets have been defined within
a controlled segment boundary. The end result may be a single (complex) segment or multiple
physically separated segments, as depicted in Figure A-C below.
Step 3
Each segment is protected using an enforcement point at the segment boundary. By
using VLANs, a single security gateway appliance connected to a switch trunk interface can be
used to provide protection for large numbers of server segments. Where segment separation is
impractical, on-host security controls can be configured to prevent unauthorized interactions
between servers with security policy profile differentials.
Once a segmentation model has been constructed, the network can be designed based on the
model and can include security products at the modeled enforcement points, ensuring that
network flows for each defined segment are funneled through these enforcement points.
Step 4
Where two segments interact, the network path for the interaction should be identified.
If all network elements supporting the interaction are included in either segment or in a
hierarchically superior segment, the security policy for the corresponding segments should be
consulted for network security control application. Where this path is not fully controlled
(e.g., it traverses an IP backbone managed by a third party), there may exist threats pertaining
to disclosure or modification of data in transit. A cryptographically protected trusted channel
(VPN) established between the two segments should be used for such interactions.
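The four steps above can be checked mechanically. The following is an added example, not code from the blueprint: it groups hosts into atomic segments by security profile (Step 1), models the segment hierarchy (Step 2), and applies the Step 4 rule that an interaction whose network path includes an element outside the two segments and their hierarchically superior segments is not fully controlled and therefore needs a VPN trusted channel. Segment names, hosts and the path elements are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

def atomic_segments(hosts: dict) -> dict:
    """Step 1: hosts with an identical security profile (e.g. a tuple of business owner,
    access population and assurance level) form one atomic segment."""
    groups = {}
    for host, profile in hosts.items():
        groups.setdefault(profile, set()).add(host)
    return groups

@dataclass
class Segment:
    name: str
    parent: Optional[str] = None                # hierarchically superior segment, if any
    elements: set = field(default_factory=set)  # hosts and network elements inside its boundary

def lineage(name: str, segments: dict) -> list:
    """The segment itself plus every hierarchically superior segment (Step 2 grouping)."""
    chain = []
    while name is not None:
        chain.append(name)
        name = segments[name].parent
    return chain

def plan_interaction(a: str, b: str, path: list, segments: dict) -> dict:
    """Step 4: the path is fully controlled only if every network element on it belongs to
    segment a, segment b, or one of their superior segments; otherwise require a VPN."""
    trusted = set()
    for seg in set(lineage(a, segments)) | set(lineage(b, segments)):
        trusted |= segments[seg].elements
    uncontrolled = [e for e in path if e not in trusted]
    control = "vpn" if uncontrolled else "segment_policy"
    return {"control": control, "uncontrolled": uncontrolled}

# Constructed sample topology (not from the blueprint): two application segments under a
# data-center segment, plus a branch site reached across a third-party IP backbone.
SEGMENTS = {
    "datacenter": Segment("datacenter", None, {"core-sw1", "core-sw2"}),
    "erp":        Segment("erp", "datacenter", {"erp-app1", "erp-db1", "erp-gw"}),
    "messaging":  Segment("messaging", "datacenter", {"mail1", "mail-gw"}),
    "branch":     Segment("branch", None, {"branch-fw1", "branch-clients"}),
}

if __name__ == "__main__":
    print(plan_interaction("erp", "messaging", ["erp-gw", "core-sw1", "mail-gw"], SEGMENTS))
    print(plan_interaction("messaging", "branch",
                           ["mail-gw", "core-sw2", "isp-router", "branch-fw1"], SEGMENTS))
```

The first interaction stays inside the data-center hierarchy and is governed by the segments' own policies; the second crosses an ISP router that no segment owns, so the example flags it for a VPN.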